CN104753887A - Safety control implementation method and system and cloud desktop system - Google Patents


Info

Publication number: CN104753887A
Application number: CN201310751050.9A
Authority: CN (China)
Original language: Chinese (zh)
Other versions: CN104753887B (en)
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Inventors: 李冰, 顾健, 王雅文, 李宏昌, 迟建德, 付载国, 李佳记, 全凯巍, 于志卓
Original assignee: China Mobile Group Heilongjiang Co Ltd
Current assignee: China Mobile Group Heilongjiang Co Ltd
Prior art keywords: terminal, server, user, cloud desktop, described terminal


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or protocols for separating internal from external traffic, e.g. firewalls
    • H04L63/0272: Virtual private networks
    • H04L63/20: Network architectures or protocols for managing network security; network security policies in general
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a security management and control implementation method and system and a cloud desktop system. The method comprises: building a cloud desktop system based on cloud desktop technology; establishing a connection between the cloud desktop system and a terminal; and implementing security management and control of the terminal by the cloud desktop system through interaction between the cloud desktop system and the terminal. By introducing cloud desktop technology, the method, the system and the cloud desktop system compensate for the defects of existing terminal network access and security control systems, change the system deployment model, achieve centralized control, improve terminal access security and reduce system security risk.

Description

Security management and control implementation method, system and cloud desktop system
Technical field
The present invention relates to the communications field, and in particular to a security management and control implementation method, a security management and control system and a cloud desktop system.
Background technology
The front-office salesperson terminals of the Business Operation Support System (BOSS system) fall into two classes: own-transmission terminals and non-own-transmission terminals. An own-transmission terminal is a company-owned terminal that accesses the network and the business systems over the company's own transmission links. A non-own-transmission terminal is a computer belonging to another company that accesses the network and the business systems through the company's interface over a third-party transmission link, using either IPSec VPN (Internet Protocol Security Virtual Private Network) or SSL VPN (Secure Sockets Layer Virtual Private Network).
An own-transmission terminal connects from the access device of its business hall to the prefecture/city aggregation switch and then accesses business systems over the intranet and the BOSS interconnection link. After the user logs into the system, the interface redirects to the 4A platform for login authentication: the user enters a user name and static password on the login page and submits them for verification; once the static password is verified, the user performs a second login authentication with the dynamic password received; when the dynamic password is verified, the BOSS front-office interface is opened.
A non-own-transmission terminal user logs into the system through a web page, after which the interface likewise redirects to 4A for login authentication; the authentication method is the same as for own-transmission terminals and is not repeated here.
At present, terminal security management and control for these two access methods is addressed from two directions. The first is terminal management software, which performs terminal self-check, anti-virus check and software compliance check and forces the terminal's hardware and software configuration to meet the access standard. The second is process-based approval management covering the whole life cycle of change operations such as joining and leaving the network, so that no terminal can be connected privately without approval. Both are described in detail below.
1. Terminal management software
A unified terminal access control platform is built, and a terminal access control gateway together with terminal management client software is deployed to implement access control for computers that access the BOSS network for business purposes, terminal software compliance checks, anti-virus checks, patch upgrades, and security control over removable storage media (such as USB flash drives, floppy disks and optical discs). This prevents external or non-compliant computers from accessing the internal network. The overall network security state is grasped in real time and dynamically, a real-time security evaluation system is established, and the operating security status of the internal terminal access devices is monitored; this gives maintenance staff convenient management tools, supports decision-making and the deployment of security tasks, and, by providing information security management means, raises the level of terminal security supervision, improves the audit mechanism and meets the current needs of salesperson-terminal security management and control. See Fig. 1.
The deployed terminal access control gateway blocks external terminals, and terminals that do not meet the access criteria or the security policy, from accessing internal network resources; it implements asset management and control over all personal computers, grasps the overall network security state in real time and dynamically, establishes a real-time security evaluation system, and automates management and control of own- and non-own-transmission salesperson terminals according to the principle of security evaluation, security hardening and centralized maintenance.
2. Process approval management
The system fixes the terminal access process into a terminal access approval work-order flow. As shown in the figure, every terminal joining or leaving the network and every configuration or equipment change requires the applicant to submit a corresponding work order in the terminal security management and control system; a terminal may join the network only after the administrator has authorized the applicant, the district/city, the business hall and the validity period of the approval, and the terminal asset and personnel flow information is all retained as work-order records.
In summary, current terminal security access management and control relies on terminal management software and process approval management. Because the configurations and installed software of terminals on the network vary widely, terminal checking and work-order approval take a long time and management efficiency is low. Forcing controls onto third-party terminals is difficult, the systems involved are scattered, and O&M cost is high. When a system failure occurs, the current architecture is a server-cluster model with remote disaster recovery and scheduled backups of data and log information; but as terminal numbers and traffic grow, storage space runs short quickly, disaster-recovery switchover requires coordinated adjustment of network policy and takes a long time, so timely switchover and rapid repair are not possible, business handling stability is affected, and the business system carries a potentially large security risk.
Summary of the invention
The invention discloses a security management and control implementation method, a system and a cloud desktop system, to solve the problems in the related art of low management efficiency, difficulty in enforcing controls, scattered systems, high O&M cost and inability to perform disaster-recovery switchover in time.
According to one aspect of the present invention, a security management and control implementation method is provided.
The security management and control implementation method according to the present invention comprises: building a cloud desktop system based on cloud desktop technology; establishing a connection between the cloud desktop system and a terminal; and implementing security management and control of the terminal by the cloud desktop system through interaction between the cloud desktop system and the terminal.
According to another aspect of the invention, a security management and control implementation system is provided.
The security management and control implementation system according to the present invention comprises: a terminal, for establishing a connection with a cloud desktop system; and the cloud desktop system, built on cloud desktop technology, for establishing the connection with the terminal and implementing security management and control of the terminal through interaction with it.
According to yet another aspect of the invention, a cloud desktop system is provided.
The cloud desktop system according to the present invention, built on cloud desktop technology, comprises: a connection system, for establishing a connection with a terminal; and an interaction system, for implementing security management and control of the terminal through interaction with it.
By introducing cloud desktop technology, the present invention compensates for the deficiencies of existing terminal network access and security management and control systems, improves the system deployment model, achieves centralized control, improves terminal access security and reduces system security risk.
Brief description of the drawings
Fig. 1 is a network architecture diagram of terminal access in the related art;
Fig. 2 is a flow chart of the security management and control implementation method according to an embodiment of the present invention;
Fig. 3 is a networking schematic diagram of the security management and control implementation system according to a preferred embodiment of the invention;
Fig. 4 is a schematic diagram of access based on IPSec VPN technology according to a preferred embodiment of the invention;
Fig. 5 is a schematic diagram of access based on SSL VPN technology according to a preferred embodiment of the invention;
Fig. 6 is a schematic flow chart of terminal registration according to a preferred embodiment of the invention;
Fig. 7 is a schematic flow chart of the cloud desktop system authenticating a terminal according to a preferred embodiment of the invention;
Fig. 8 is a schematic flow chart of the security management and control implementation method according to a preferred embodiment of the invention;
Fig. 9 is a structural block diagram of the security management and control implementation system according to an embodiment of the invention; and
Fig. 10 is a structural block diagram of the cloud desktop system according to a preferred embodiment of the invention.
Detailed description
The specific implementation of the present invention is described in detail below with reference to the drawings.
According to an embodiment of the present invention, a security management and control implementation method is provided.
Fig. 2 is a flow chart of the security management and control implementation method according to an embodiment of the present invention. As shown in Fig. 2, the method comprises:
Step S201: building a cloud desktop system based on cloud desktop technology;
Step S203: establishing a connection between the cloud desktop system and a terminal;
Step S205: implementing security management and control of the terminal by the cloud desktop system through interaction between the cloud desktop system and the terminal.
In the related art, terminal security access management and control relies on terminal management software and process approval management; terminal checking and work-order approval take a long time and management efficiency is low. When a system failure occurs, because the current architecture is a server-cluster model, storage space runs short quickly as terminal numbers and traffic grow, disaster-recovery switchover requires coordinated adjustment of network policy and takes a long time, timely switchover and rapid repair are not possible, business handling stability is affected, and the business system carries a potentially large security risk. With the method shown in Fig. 1, cloud desktop technology is introduced: a virtual desktop system is deployed on the server to provide unified terminal access and security management and control, and user rights are configured so that the terminal hardware and the cloud desktop software are physically isolated. This compensates for the deficiencies of existing terminal network access and security management and control systems, improves the system deployment model, achieves centralized control, reduces O&M cost, improves terminal access security and reduces system security risk.
The system that implements security management and control is described below with reference to the networking architecture shown in Fig. 3. The overall network architecture is divided into four main regions: the user access region, the DMZ region, the core switching region and the BOSS service application region. In detail:
User access region: a user-domain aggregation switch is added. As the "point of contact" between user access and the internal business network, this region mainly:
1. provides a centralized network interface for the business halls dispersed across the province;
2. carries the gateway and layer-3 routing and forwarding function, and enforces access control policy and traffic load sharing.
DMZ (isolation zone) region: a DMZ access switch and a load-balancing server are added. As shown in Fig. 3, the DMZ region mainly contains the RDS server pool, the AD domain server, the file server and the session server. Its main functions are:
1. completing the user secure-access audit;
2. providing network access to the cloud desktop.
Core switching region: the core switching layer is the final recipient and aggregator of all traffic; its priorities are redundancy, reliability and high-speed data transfer. Network planning for this layer concentrates on redundancy and efficiency, and no network control is performed at this layer. Its main functions are:
1. forwarding user access requests from the user access region to the core application layer;
2. high-speed forwarding of data.
BOSS service application region: mainly contains the BOSS service servers, which receive and respond to user access requests and present the response results to the user.
Preferably, in step S203, establishing the connection between the cloud desktop system and the terminal comprises the following process:
Step 1: the terminal sends a request for network usage rights to a virtual private network (VPN) device;
Step 2: the terminal receives a verification request from the VPN device and sends user authentication information to the VPN device;
Step 3: after the VPN device has forwarded the user authentication information to the authentication server for verification and matching, the terminal receives from the VPN device an address that carries access rights.
The VPN device includes, but is not limited to, an IPSec VPN device or an SSL VPN device.
In a specific implementation, as shown in Fig. 4, the terminal accesses through an IPSec VPN device. The IPSec VPN technology currently used is Easy VPN: a number of PIX 535 devices are deployed at the Internet egress of the BOSS system as Easy VPN servers, and the business-hall terminals install Cisco Systems VPN Client software, which acts as the Easy VPN client when the VPN connection is set up. The Easy VPN server has a route to the BOSS service servers; when a terminal user connects to the Easy VPN server through the Easy VPN client, the server selects an available IP address from a preset IP address pool and assigns it to the client. Once the connection is established, the client and the BOSS application system are temporarily in the same VLAN, and business access proceeds as on an ordinary local area network.
In a specific implementation, as shown in Fig. 5, the terminal accesses through an SSL VPN device. SSL VPN is a VPN technology based on the B/S (browser/server) structure: a number of F5 FirePass 4300 VPN access devices are deployed at the BOSS Internet egress. The device acts as a proxy between the terminal user and the BOSS server system, forwarding page requests from the remote browser (using the HTTPS protocol) to the web server and returning the server's responses to the terminal user.
Preferably, in step S205, the interaction between the cloud desktop system and the terminal further comprises:
Process 1: the cloud desktop system verifies the terminal. The verification methods comprise: user name and static password verification; verification by a unified calculation over the terminal's International Mobile Equipment Identity (IMEI), the thin client identifier and the static password; and dynamic verification code verification;
Process 2: when verification succeeds and the terminal currently has no session, the cloud desktop system allocates a remote server to the terminal;
Process 3: the cloud desktop system presents to the terminal the application program that runs on the remote server under the user rights configuration.
Preferably, before process 1, the following steps are performed (that is, the terminal is registered):
Step 1: at registration of the terminal, the thin client connects to the terminal over Bluetooth and obtains the terminal's IMEI;
Step 2: the thin client sends the IMEI and its own thin client identifier to the certificate server in the cloud desktop system;
Step 3: the certificate server performs the calculation with the IMEI, the thin client identifier and the static password as parameters, and stores the result.
Preferably, in process 1, verification by unified calculation over the terminal's IMEI, the thin client identifier and the static password comprises:
Step 1: the thin client in the cloud desktop system connects to the terminal over Bluetooth and obtains the terminal's IMEI;
Step 2: the thin client sends the IMEI and its thin client identifier to the certificate server in the cloud desktop system;
Step 3: the certificate server performs the calculation with the IMEI, the thin client identifier and the static password as parameters, compares the result with the result stored at registration, and determines that verification succeeds when they match.
Preferably, in process 1, dynamic verification code verification further comprises:
Step 1: when the calculated result matches the result stored at registration, the remote data transmission (RDS) server of the cloud desktop system triggers generation of the dynamic verification code and sends it down to the terminal;
Step 2: the RDS server receives the dynamic verification code returned by the terminal;
Step 3: the RDS server sends the received dynamic verification code to the dynamic verification code authentication server for verification; when it matches the verification code saved in advance, verification succeeds.
In a preferred implementation, user access security comprises a basic static user-name/password authentication method and a two-factor authentication method in which a unified calculation over the IMEI (the unique identifier of the mobile terminal, obtained over Bluetooth) and the thin client ID triggers a dynamic verification code. The basic user-name/password method uses AD-integrated user authentication, supports password strength/complexity and password validity period rules, and can be adjusted uniformly or by group through group policy; it therefore fits the existing security policies and specifications, has low implementation cost and risk, and does not affect user experience or habits.
The cloud-desktop-based two-factor authentication builds on this: over the Bluetooth link between the mobile phone terminal and the thin client, the mobile terminal IMEI, the thin client ID and the user's static password are calculated together to confirm the identity of the authenticating user, and a dynamic verification code is then triggered. The SMS dynamic code two-factor authentication of the related art has several drawbacks:
1. Delivery of the dynamic code depends on the reliability of the SMS gateway and on the network connectivity between the SMS gateway and the mobile phone; if any link in the chain fails (for example an SMS backlog at the gateway, or a network fault between the server and the gateway), the dynamic SMS code cannot be delivered correctly and the user cannot authenticate.
2. Delivery of the SMS code is bound to the mobile phone number; as SIM card cloning technology develops, a SIM card can be copied and used for fraud, so the dynamic SMS verification code is at risk of being stolen.
3. Triggering an SMS verification code cannot confirm that the phone's owner (the person) and the phone (the thing) are in the same place, that is, whether it was the owner who triggered the code; if the phone is lost and the static password is obtained by an attacker through means such as social engineering, the attacker can perform illegal operations such as logging in from another location.
To avoid the risk of the SMS verification code of traditional two-factor authentication being lost or cracked, the mobile terminal IMEI, the thin client ID and the user's static password are calculated together over the Bluetooth link; this two-factor method confirms the identity of the authenticating user and then triggers a dynamic verification code to verify the identity of users accessing the computer network. The verification process is as follows:
For convenience of description, the following symbols are used:
IMEIM --- mobile terminal identity identifier;
IDC --- thin client identity identifier;
KEY --- the user's static password identifier;
R --- random verification code;
F{KEY(IMEIM, IDC, IMEIM+IDC)} --- the message authentication code computed with the authentication identification code KEY over the parameters IMEI, ID and IMEI+ID.
1. Registration phase
Fig. 6 is a schematic flow chart of terminal registration according to a preferred embodiment of the invention. As shown in Fig. 6, the flow mainly comprises:
Step 1: the user enables Bluetooth on the terminal (for example, a mobile terminal) and connects.
Step 2: the mobile terminal and the thin client establish a Bluetooth network connection and set up an encrypted communication tunnel.
Step 3: the thin client starts the mobile phone authentication service program.
Step 4: the thin client obtains the mobile phone terminal's IMEIM(i) over the communication tunnel, where i is a natural number from 1 to n.
Step 5: the thin client binds IMEIM(i) with the thin client identity identifier IDC(i) to obtain IMEIM(i)+IDC(i) and sends it to the certificate server.
Step 6: the certificate server receives the static password identifier KEY(i) entered by the user.
Step 7: the certificate server calculates Y(i) with the user's static password identifier KEY(i), see formula (1); once the certificate server has stored Y(i), registration of the mobile terminal is complete.
Y(i) = F{KEY(i)(IMEIM(i), IDC(i), IMEIM(i)+IDC(i))}    (1)
2. Authentication phase
Fig. 7 is a schematic flow chart of the cloud desktop system authenticating a terminal according to a preferred embodiment of the invention. As shown in Fig. 7, the flow mainly comprises:
Step 1: the user enables Bluetooth on the terminal (for example, a mobile terminal) and connects.
Step 2: the mobile terminal and the thin client establish a Bluetooth network connection and set up an encrypted communication tunnel.
Step 3: the thin client starts the mobile phone authentication service program.
Step 4: the thin client obtains the mobile phone's IMEIM(j), where j is a natural number from 1 to n.
Step 5: the thin client sends IMEIM(j) together with the thin client identity identifier IDC(j) to the certificate server.
Step 6: the thin client obtains the static password entered by the user on the login page and sends it to the certificate server.
Step 7: the certificate server combines IMEIM(j) with the thin client identity identifier IDC(j) to obtain IMEIM(j)+IDC(j) and, having received the static password entered by the user on the login page, calculates Y(j), see formula (2).
Y(j) = F{KEY(j)(IMEIM(j), IDC(j), IMEIM(j)+IDC(j))}    (2)
Step 8: the certificate server judges whether the two message authentication codes obtained are consistent;
Step 9: if Y(i) = Y(j), authentication is legitimate and the certificate server triggers generation of the random number R. If Y(i) ≠ Y(j), authentication is illegitimate, the user is prompted that authentication failed, and the cloud desktop authentication ends.
Step 10: R is sent to the mobile terminal client over the Bluetooth network connection.
Step 11: after the client receives R, the user U enters the random verification code R on the cloud desktop server.
Step 12: if the code is verified, authorization is granted and operations such as interface initialization are performed.
In summary, the dynamic Bluetooth + IMEI two-factor authentication of the mobile phone terminal greatly improves access security, supports the products of mainstream Bluetooth device manufacturers, and, as a short-range authentication access solution, provides an efficient authentication solution through applications on the thin client device that improve work efficiency.
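The registration and authentication phases above, as an added example that is not part of the patent or of any China Mobile system. It models the certificate server only: Y = F{KEY(IMEIM, IDC, IMEIM+IDC)} is stored at registration, recomputed and compared at login, and a random verification code R is then issued and checked once. The patent does not define F, how KEY is derived from the static password, or how long R stays valid; HMAC-SHA256 keyed by a SHA-256 hash of the static password, a 6-digit R and a 60-second lifetime are assumptions, and the IMEI and identifiers in the demo are constructed sample values.

```python
"""Certificate-server side of the IMEI + thin-client-ID + static-password
two-factor scheme (added example; F, KEY derivation and the lifetime of R
are assumptions, not taken from the patent)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CODE_LIFETIME_S = 60  # assumed validity window of the random code R


def derive_key(static_password: str) -> bytes:
    """KEY: fixed-length MAC key from the user's static password (assumed: SHA-256)."""
    return hashlib.sha256(static_password.encode("utf-8")).digest()


def f(key: bytes, imeim: str, idc: str) -> str:
    """F{KEY(IMEIM, IDC, IMEIM+IDC)}: a MAC over the three parameters, each
    length-delimited so that different (IMEIM, IDC) pairs cannot collide."""
    parts = (imeim, idc, imeim + idc)
    msg = b"".join(len(p).to_bytes(2, "big") + p.encode("utf-8") for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class CertificateServer:
    registered: Dict[str, str] = field(default_factory=dict)          # user -> Y(i)
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # user -> (R, expiry)

    def register(self, user: str, imeim: str, idc: str, static_password: str) -> str:
        """Registration step 7: compute and store Y(i)."""
        y_i = f(derive_key(static_password), imeim, idc)
        self.registered[user] = y_i
        return y_i

    def authenticate(self, user: str, imeim: str, idc: str, static_password: str) -> Optional[str]:
        """Authentication steps 7-9: recompute Y(j), compare with Y(i) in constant
        time, and on success trigger the random code R (returned here; in the
        patent it travels to the phone over the Bluetooth tunnel)."""
        y_i = self.registered.get(user)
        if y_i is None:
            return None
        y_j = f(derive_key(static_password), imeim, idc)
        if not hmac.compare_digest(y_i, y_j):
            return None  # Y(i) != Y(j): authentication illegitimate
        r = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (r, time.monotonic() + CODE_LIFETIME_S)
        return r

    def verify_code(self, user: str, code: str) -> bool:
        """Authentication steps 11-12: the code is single-use and time-limited."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        r, expiry = entry
        return time.monotonic() <= expiry and hmac.compare_digest(r, code)


if __name__ == "__main__":
    srv = CertificateServer()
    # Constructed sample values, not real devices.
    srv.register("clerk01", "490154203237518", "thin-client-0001", "S3cret-pass")
    code = srv.authenticate("clerk01", "490154203237518", "thin-client-0001", "S3cret-pass")
    print("R issued:", code, "verified:", srv.verify_code("clerk01", code))
```

Binding the MAC key to the static password means a stolen table of Y(i) values alone does not let anyone authenticate without the password, the phone and the thin client together; popping the pending entry on the first attempt keeps R from being replayed or brute-forced.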
Preferably, in above-mentioned process 2, when being verified, and above-mentioned terminal is current when there is not session, and above-mentioned cloud desktop system is that above-mentioned terminal distribution remote server can comprise the following steps:
Step 1: when being verified, the conversation server in above-mentioned cloud desktop system inquires about whether above-mentioned terminal is current exists session;
Step 2: when not inquiring above-mentioned terminal session, above-mentioned conversation server sends Query Result to above-mentioned RDS server, and notifies that above-mentioned RDS server is the above-mentioned remote server of above-mentioned terminal distribution;
Step 3: above-mentioned RDS server is the remote server of above-mentioned terminal distribution optimum according to RDS resource pool server state.
Preferably, in above-mentioned process 3, the application program operated on above-mentioned remote server with user right configuration is presented in above-mentioned terminal and can comprises the following steps by above-mentioned cloud desktop system:
Step 1: above-mentioned remote server receives the request coming from the acquisition user configuration information of above-mentioned terminal;
Step 2: above-mentioned request is sent to configuration server by above-mentioned remote server;
Step 3: above-mentioned configuration server inquiring user authority storehouse, is confirmed whether the user's claim file that there is this terminal;
Step 4: if existed, then notify that above-mentioned RDS server downloads this user right configuration file; If there is no, then notifying above-mentioned RDS server, is that above-mentioned terminal generates new user right configuration file to make above-mentioned RDS server according to security configuration template;
Step 5: the application program operated on above-mentioned remote server with user right configuration is presented in above-mentioned terminal by above-mentioned remote server.
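Processes 2 and 3 above (session lookup, optimal-server allocation from the RDS pool, and the rights-file lookup with template fallback), as an added example that is not code from the patent or from any China Mobile system. The patent does not say what "optimal" means or what a rights file contains; choosing the online server with the fewest sessions, and the keys of the security configuration template, are assumptions, and the pool contents in the demo are constructed.

```python
"""Session server + RDS server + configuration server, collapsed into one
object (added example; the 'optimal server' rule and the template keys are
assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed shape of the security configuration template used for new users:
# deny-by-default settings, with only the front-office application published.
SECURITY_TEMPLATE = {"usb_storage": "deny", "clipboard": "deny", "apps": ["boss-frontdesk"]}


@dataclass
class RdsServer:
    name: str
    online: bool = True
    sessions: int = 0


@dataclass
class CloudDesktop:
    pool: List[RdsServer]
    sessions: Dict[str, str] = field(default_factory=dict)   # terminal id -> server name
    rights: Dict[str, dict] = field(default_factory=dict)    # user -> rights configuration

    def allocate(self, terminal_id: str) -> str:
        """Process 2: reuse the terminal's existing session if there is one,
        otherwise pick the online pool member with the fewest sessions."""
        existing = self.sessions.get(terminal_id)
        if existing is not None:
            return existing
        candidates = [s for s in self.pool if s.online]
        if not candidates:
            raise RuntimeError("no RDS server available in the resource pool")
        best = min(candidates, key=lambda s: s.sessions)
        best.sessions += 1
        self.sessions[terminal_id] = best.name
        return best.name

    def user_rights(self, user: str) -> dict:
        """Process 3, steps 3-4: return the stored rights file, or generate
        one from the template (a copy, so later edits never touch the template)."""
        cfg = self.rights.get(user)
        if cfg is None:
            cfg = dict(SECURITY_TEMPLATE, apps=list(SECURITY_TEMPLATE["apps"]))
            self.rights[user] = cfg
        return cfg


if __name__ == "__main__":
    # Constructed pool: one busy server, one offline server, one lightly loaded server.
    cd = CloudDesktop([RdsServer("rds-a", True, 2), RdsServer("rds-b", False), RdsServer("rds-c", True, 1)])
    print(cd.allocate("terminal-17"), cd.user_rights("clerk01"))
```

Generating the missing rights file from a deny-by-default template is the part worth copying: a user with no explicit configuration gets the most restrictive desktop rather than an unrestricted one.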
Preferably, after the cloud desktop system presents to the terminal the application program running on the remote server with the user permission configuration, the following process is also included (that is, when an abnormal condition occurs, the automatic state-preservation technique is used):
Step 1: when the remote server cannot receive user instructions from the terminal, it initiates a request to enable automatic state preservation, and the session state stays at its current state and is suspended;
Step 2: if the remote server receives a user instruction from the terminal within the predetermined time, the automatic state-preservation function takes effect and the remote server resumes service interaction with the BOSS server; otherwise, the automatic state-preservation function expires and the remote server initiates a request to delete the user state and close the service.
In the preferred implementation, secure transmission between the cloud desktop system and the terminal relies on the combination of the following three techniques:
1. Transmission encryption via SSL tunnel
An SSL tunnel is used to ensure that all connections are fully encrypted, and smart-card users must use SSL; transmission security is therefore guaranteed by tunnel encryption. SSL can be enabled or disabled flexibly by policy, and the scheme integrates seamlessly with mainstream SSL VPN solutions.
2. Automatic state preservation
This technique automatically detects a connection disconnection and automatically saves the user state; within a predetermined time (for example, 30 seconds) it automatically reconnects the session and automatically restores the user state. No re-login is therefore needed, user interruptions are reduced and the user experience is markedly improved.
3. Terminal user permission management through a file security configuration server, improving the security of extranet desktop access
The file security configuration server, placed in a secure zone, supports both intranet and extranet network connections. Data therefore stays within the data center, security control over data is strengthened, encrypted desktop access from all endpoints is supported, centralized control and audit compliance work for desktops and data is simplified, and all existing remote terminals remain compatible.
In the preferred implementation, data security is mainly achieved with the following three techniques:
1. Clipboard control
According to the security requirements of the cloud desktop server for the terminal, clipboard copying between the client and the virtual desktop can be allowed or forbidden, or restricted to one-way copy and paste. Clipboard copying between client and virtual desktop can thus be allowed or forbidden by flexible policy configuration, the policy can be inherited or applied separately to a particular computer pool, and one-way copy and paste is supported.
2. USB policy control
Through security policy configuration, USB mapping can be allowed or forbidden, USB storage can be made read-only, and USB can be forbidden by policy. USB mapping can thus be allowed or forbidden by flexible policy configuration, the policy can be inherited or applied separately to a particular computer pool, and read-only USB storage is supported.
3. Agentless anti-virus for terminals, provided through endpoint device configuration
By removing the anti-virus agent from each virtual machine, the anti-virus function is handed to a secure VM process provided by the anti-virus vendor and enforced through a driver in the virtual machine, with policy and configuration management via a UI or REST API and support for logging and auditing. Performance is improved by separating the anti-virus function in cooperation with the anti-virus vendor, in particular the virtual machine's performance improves once the anti-virus agent is removed; risk is reduced by removing the sensitive agent and enforcing through the driver; and audit requirements are met by recording anti-virus tasks in detail.
4. Cloud desktop system reliability
As the main body of security control in the interaction between terminal and cloud desktop, the security and reliability of the cloud desktop system are especially important. Through the upgrade management server and the configuration management server, unified patch management of the virtualization platform, virtual machines, operating systems and even application programs is carried out, so that patch security management is done from a unified console and can be integrated with techniques such as snapshots and backups to guarantee fast and accurate rollback after a system failure.
The interaction flow between the terminal and the cloud desktop system is described below with reference to the example of Fig. 8.
Fig. 8 is a flow diagram of the security control implementation method according to the preferred embodiment of the invention. As shown in Fig. 8, the method mainly comprises the following process (steps S801 to S829):
First stage (not shown in Fig. 8): the terminal accesses the cloud desktop system.
Before step S801 is executed, the terminal needs to connect to the cloud desktop system; terminal access security is achieved mainly through username/password identity authentication and SSL tunnel transmission encryption, specifically:
Step 1: the terminal sends the user request, encrypted with the tunnel transmission encryption algorithm, to an IPSec VPN or SSL VPN device to request the right to use network resources.
Step 2: the VPN receives the user request and asks the terminal user for authentication information. The terminal user enters a username and password to obtain the corresponding network access permission.
Step 3: the VPN forwards the received username and password to the AAA authentication server for verification; when the verification matches, a match-success notification is sent to the VPN server. After receiving the notification, the VPN server issues an IP address with access rights to the terminal.
Step 4: after step 3 ends, the remote terminal has permission to access the cloud desktop system. The user invokes the remote desktop program on the local terminal desktop and starts the interaction with the cloud desktop platform.
Second stage: interaction between the terminal and the cloud desktop system.
The terminal connects to the cloud desktop to access the BOSS system, mainly using username/password identity authentication and two-factor identity authentication, improving the security of extranet desktop access through the file security configuration server, and improving the security of the remote host by providing agentless anti-virus for terminals through endpoint device configuration. As shown in Fig. 8, this mainly comprises:
Step S801: the terminal invokes the remote desktop program and requests to log in to the RDS server.
Step S802: the RDS server receives the terminal request and sends the prompt "please enter username and password" to the terminal.
Step S803: the mobile terminal and the thin client connect over Bluetooth, and the IMEI of the mobile terminal is obtained. At the same time, the terminal user enters the username and password and requests the server to verify them.
Step S804: the RDS server receives the user information sent by the user and forwards it to the AD domain server and the authentication server for user identity verification. At the same time, the thin client sends the mobile terminal IMEI together with the thin client ID number to the authentication server.
Step S805: the AD domain server compares this user information with the user information in the database, and the match succeeds. The authentication server performs a calculation with the mobile terminal IMEI, the thin client ID number and the static password as parameters, compares the result with the mobile phone registration information, returns the comparison result to the RDS server, and informs the RDS server that it may trigger a dynamic verification code and issue it to the terminal user, sending the prompt "please enter dynamic verification code" to the terminal. The terminal user enters the dynamic verification code and requests the server to verify it.
The RDS server receives the verification code information sent by the user and forwards it to the dynamic verification code authentication server for verification. The dynamic verification code authentication server compares this verification code with the verification code information in the database, and the match succeeds. The result is returned to the RDS server, informing the RDS server to allocate resources for this user.
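As an added illustration (not code from the patent), the following Python models the checks of steps S803 to S805: the AD domain server's username/password check, the authentication server's calculation over IMEI, thin client ID and static password compared with the value saved at registration, and the single-use dynamic verification code. The patent does not specify the calculation, so an HMAC-SHA256 is assumed, as are the class names, the 6-digit code format and the 60-second code lifetime; the IMEI and credentials are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time


class ADDomainServer:
    """Stands in for the AD domain server: checks username and static password (S804/S805)."""

    def __init__(self, users):
        # Constructed sample directory; passwords are stored salted and hashed, never in clear.
        self._users = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, self._hash(salt, password))

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(expected, self._hash(salt, password))


class AuthenticationServer:
    """Keeps the calculation result saved at registration and re-checks it at login."""

    def __init__(self, server_key):
        self._key = server_key
        self._registered = {}  # username -> registration result

    def _calculate(self, imei, thin_client_id, static_password):
        # The patent only says "calculate with IMEI, thin client ID and static password
        # as parameters"; an HMAC-SHA256 over the three values is assumed here.
        msg = "|".join((imei, thin_client_id, static_password)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def register(self, username, imei, thin_client_id, static_password):
        self._registered[username] = self._calculate(imei, thin_client_id, static_password)

    def verify(self, username, imei, thin_client_id, static_password):
        stored = self._registered.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._calculate(imei, thin_client_id, static_password))


class DynamicCodeServer:
    """Issues the dynamic verification code and accepts it once, within its lifetime."""

    def __init__(self, lifetime_seconds=60, now=time.time):
        self._codes = {}  # username -> (code, expiry)
        self._lifetime = lifetime_seconds
        self._now = now  # injectable clock so expiry can be tested

    def issue(self, username):
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code, an assumption
        self._codes[username] = (code, self._now() + self._lifetime)
        return code

    def verify(self, username, code):
        entry = self._codes.pop(username, None)  # single use: removed whether or not it matches
        if entry is None:
            return False
        expected, expiry = entry
        return self._now() <= expiry and hmac.compare_digest(expected, code)


class RDSServer:
    """Orders the checks as S804/S805 do: AD, then IMEI/thin client, then the dynamic code."""

    def __init__(self, ad, auth, codes, deliver):
        self._ad, self._auth, self._codes = ad, auth, codes
        self._deliver = deliver  # sends the code to the terminal user (for example by SMS)

    def first_factor(self, username, password, imei, thin_client_id):
        # The dynamic code is issued only after both the AD and the IMEI checks succeed.
        if not self._ad.verify(username, password):
            return False
        if not self._auth.verify(username, imei, thin_client_id, password):
            return False
        self._deliver(username, self._codes.issue(username))
        return True

    def second_factor(self, username, code):
        return self._codes.verify(username, code)
```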
Step S806: this user information is sent to the session server, which is asked to query whether this user already has an existing session.
Step S807: after querying, the session server finds no session for this user, sends the query result to the RDS host and notifies it to allocate an RDS remote host to the terminal user.
Step S808: the RDS server receives the query result sent by the session server, checks the state of the servers in the RDS resource pool, and allocates to the user the available remote host with the best performance.
Step S809: the RDS pool pushes the remote host desktop allocated to this user to the user's terminal desktop.
Step S810: the terminal user obtains the remote host and requests user configuration information from it; the RDS receives the user request and forwards it to the file security configuration server, querying the file security configuration server for all configuration information of this user.
Step S811: the file security configuration server queries the user permission library; if it finds that permission information for this user already exists in the library, it responds to the RDS host "this user's permission information exists"; if there is no permission file for this user in the user permission library, it responds to the RDS host "there is no permission for this user in the system; please allocate the system default permission file configuration to it in the system default way".
Step S812: after the RDS remote host receives the response from the file security server: 1. if the permission configuration file of this user already exists on the file server, the RDS remote server downloads it; 2. if there is no permission configuration file for this user on the file server, the RDS remote server allocates a new user permission profile for this user according to the security configuration template.
Step S813: the RDS remote host, configured with the user's personalized permission settings, is presented and displayed on the user terminal via the RDP protocol.
Endpoint device configuration and the unified secure VM process are carried out and enforced through the driver in the virtual machine; policy and configuration management of the RDS remote host is done via a UI or REST API, with logging and auditing.
The RDP packet header generation process comprises: initializing parameters, producing the standard header, producing the RDP-specific header, and sending the header. The header carries transmission control characters with the following meanings: start of sequence, start of text, end of text, transmission complete, enquiry, acknowledge, escape, negative acknowledge, synchronize, end of block; headers of different communication protocols may also carry transmission control characters with protocol-specific meanings.
Third stage: the terminal accesses the BOSS system through the cloud desktop.
Step S814: the RDS server sends a record-user-session request to the session server.
Step S815: the session server responds to the RDS server request, informing it that incremental saving of the user session has started.
Step S816: the user enters a BOSS page invocation instruction, which is transmitted to the RDS remote host over the network.
Step S817: the RDS remote host receives the page invocation request and initiates a page invocation request to the BOSS server.
Step S818: after receiving the page invocation request sent by the RDS, the BOSS server responds and sends the BOSS system page to the RDS remote host over the network.
Step S819: the RDS remote host pushes the received BOSS system page to the terminal user over the network, and it is displayed on the LUT host.
Step S820: the user enters a BOSS business transaction instruction, which is transmitted to the RDS remote host over the network.
Step S821: the RDS remote host receives the business transaction request and calls the business transaction interface of the BOSS server.
Step S822: after receiving the page invocation request sent by the RDS, the BOSS server responds and sends the BOSS business transaction page to the RDS remote host over the network.
Step S823: the result of the user's business request is displayed.
The user transacts business with the obtained remote host. During business transactions, clipboard control and USB policy control are mainly used to improve data security in the interaction:
1. When the terminal user uses the clipboard or USB function, the cloud desktop server sends the user's clipboard or USB usage request to the file security configuration server and queries it for the user's permission level information.
2. The file security configuration server queries the user permission library; if it finds that license information for this user already exists in the library, it responds to the cloud desktop server "this user is authorized; use is allowed"; if there is no usage information for this user in the user permission library, it responds to the cloud desktop server "there is no license information for this user in the system; use is refused; please apply if use is required".
3. After the cloud desktop server receives the response of the file security configuration server: 1. it allows the terminal user to use the clipboard or USB function; 2. it refuses the terminal user the clipboard or USB function and provides a link for applying.
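The permission library lookup of steps S811 and S812 and the clipboard/USB authorization of points 1 to 3 above, as an added Python model that is not part of the patent. The policy values follow the options the description names (clipboard allowed, forbidden or one-way; USB mapping allowed, read-only or forbidden; policies inherited or applied separately to a computer pool); the class names, the action names and the contents of the security configuration template are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Clipboard(Enum):
    FORBID = "forbid"
    ALLOW = "allow"                          # both directions
    CLIENT_TO_DESKTOP = "client_to_desktop"  # one-way copy and paste
    DESKTOP_TO_CLIENT = "desktop_to_client"


class Usb(Enum):
    FORBID = "forbid"        # USB forbidden, no mapping
    READ_ONLY = "read_only"  # mapping allowed, storage read-only
    MAP = "map"              # mapping allowed with full access


@dataclass(frozen=True)
class Profile:
    clipboard: Clipboard
    usb: Usb


# Assumed contents of the security configuration template used in S812 when no
# permission file exists: nothing is granted until the user applies (point 2 above).
SECURITY_TEMPLATE = Profile(clipboard=Clipboard.FORBID, usb=Usb.FORBID)


class FileSecurityConfigServer:
    """Owns the user permission library and answers S811 and the clipboard/USB queries."""

    def __init__(self):
        self._library = {}        # user_id -> Profile (the user permission library)
        self._pool_policies = {}  # (user_id, pool) -> Profile applied separately to one pool
        self.audit = []           # every authorization decision is recorded

    def register(self, user_id, profile, pool=None):
        if pool is None:
            self._library[user_id] = profile
        else:
            self._pool_policies[(user_id, pool)] = profile

    def lookup(self, user_id):
        """S811: (True, profile) when the permission file exists, else (False, None)."""
        profile = self._library.get(user_id)
        return (profile is not None, profile)

    def effective_profile(self, user_id, pool):
        """A policy applied separately to the pool wins; otherwise the user's own is inherited."""
        pool_profile = self._pool_policies.get((user_id, pool))
        return pool_profile if pool_profile is not None else self._library.get(user_id)

    def authorize(self, user_id, pool, action, direction=None):
        """Point 2: True means 'authorized, use allowed'; False means 'no license
        information, use refused, please apply'."""
        profile = self.effective_profile(user_id, pool)
        allowed = profile is not None and _permits(profile, action, direction)
        self.audit.append((user_id, pool, action, direction, allowed))
        return allowed


def _permits(profile, action, direction):
    if action == "clipboard":
        if profile.clipboard is Clipboard.ALLOW:
            return True
        if profile.clipboard is Clipboard.FORBID:
            return False
        return profile.clipboard.value == direction  # one-way: only the configured direction
    if action == "usb_read":
        return profile.usb in (Usb.READ_ONLY, Usb.MAP)
    if action == "usb_write":
        return profile.usb is Usb.MAP
    raise ValueError(f"unknown action {action!r}")


class RDSRemoteHost:
    """S810-S812: obtains the user's profile, generating one from the template when absent."""

    def __init__(self, config_server):
        self._config = config_server

    def obtain_profile(self, user_id):
        exists, profile = self._config.lookup(user_id)
        if exists:
            return profile, "downloaded"
        return SECURITY_TEMPLATE, "generated_from_template"
```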
Fourth stage: the business hall network disconnects abnormally and the desktop reconnects; the ability to continue after an interruption comes mainly from the automatic state-preservation technique together with the reliability improvement and failover capability of the cloud platform. This mainly comprises:
Step S824: the terminal user is disconnected from the cloud desktop RDS remote host and returns to the local desktop. At the same time, the RDS remote host can no longer receive instructions entered by the user.
Because the RDS remote host cannot receive user instructions, its session with the BOSS server is suspended, and the RDS remote host sends a request to enable automatic state preservation to the cloud desktop server.
Step S825: after receiving the automatic state-preservation request, the cloud desktop server starts the automatic state-preservation function; the session state stays at its current state and is suspended.
RDS remote host: 1. if a user instruction is received within 30 seconds, the network connection is restored, the automatic state-preservation function takes effect, the system performs an accurate rollback and automatically resumes service interaction with the BOSS server; 2. if no user instruction is received within 30 seconds, the network stays disconnected, the automatic state-preservation function expires, and the RDS remote host initiates a request to the cloud desktop server to delete the user state and close the service connection.
The cloud desktop server responds to the RDS remote host's delete-user-state request, deletes the user state and closes the service interaction connection with the BOSS server.
Step S826: the business hall network is reconnected, and steps S801 to S807 of the second stage are repeated.
Step S827: the responding RDS remote host downloads the configuration file of this user according to the user ID returned by the session server.
Step S828: the user logs in to the RDS remote host, obtains the session link again and continues entering instructions.
Step S829: the RDS remote host receives the business transaction instruction and resumes service interaction with the BOSS server.
It can be seen that, through network virtualization technology and terminal security control technology, security management of the desktop cloud terminal is achieved and the level of terminal security supervision is raised; user security auditing is added at the same time; the user's mobile phone IMEI is bound to the thin client terminal and user authentication is done over the Bluetooth connection, achieving low cost and high security.
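The automatic state-preservation process of steps S824 to S829, as an added Python model that is not code from the patent. It uses the 30-second window from the description; the class and method names, the injectable clock, and the representation of the BOSS interaction as committed steps plus one unconfirmed pending request (which the accurate rollback discards) are assumptions.

```python
from enum import Enum

KEEP_WINDOW_SECONDS = 30.0  # the predetermined time given in the description


class SessionState(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"  # S825: session state held at its current state
    CLOSED = "closed"        # user state deleted, BOSS connection closed


class CloudDesktopServer:
    """Stores the incremental session saves (S814/S815) and answers the
    open-auto-keep and delete-user-state requests made by the remote host."""

    def __init__(self):
        self.saved = {}        # user_id -> steps confirmed by the BOSS server
        self.keeping = set()   # users whose session is under automatic state preservation
        self.deleted = []      # users whose state was deleted after the window expired

    def save_increment(self, user_id, committed):
        self.saved[user_id] = list(committed)

    def open_auto_keep(self, user_id):
        self.keeping.add(user_id)

    def delete_user_state(self, user_id):
        self.keeping.discard(user_id)
        self.saved.pop(user_id, None)
        self.deleted.append(user_id)


class RDSRemoteHost:
    def __init__(self, user_id, cloud, now):
        self.user_id = user_id
        self.cloud = cloud
        self._now = now  # injectable clock so the 30-second window can be tested
        self.state = SessionState.ACTIVE
        self.boss_connected = True
        self.committed = []   # steps confirmed by the BOSS server
        self.pending = None   # request sent to BOSS, no response yet
        self._suspended_at = None

    def user_instruction(self, instruction):
        """S816/S820: an instruction arrives from the terminal; returns the resulting state."""
        if self.state is SessionState.CLOSED:
            raise RuntimeError("session closed; the user must log in again (S826)")
        if self.state is SessionState.SUSPENDED:
            self._try_resume()
        if self.state is SessionState.ACTIVE:
            self.pending = instruction
        return self.state

    def boss_response(self):
        """S818/S822: the BOSS server answers the pending request; saved incrementally."""
        if self.state is not SessionState.ACTIVE or self.pending is None:
            return False
        self.committed.append(self.pending)
        self.pending = None
        self.cloud.save_increment(self.user_id, self.committed)
        return True

    def connection_lost(self):
        """S824: no instructions reach the host; suspend and request automatic keep."""
        if self.state is SessionState.ACTIVE:
            self.state = SessionState.SUSPENDED
            self.boss_connected = False
            self._suspended_at = self._now()
            self.cloud.open_auto_keep(self.user_id)

    def check_window(self):
        """Evaluated while suspended: past the window the keep function expires."""
        if (self.state is SessionState.SUSPENDED
                and self._now() - self._suspended_at > KEEP_WINDOW_SECONDS):
            self._close()
        return self.state

    def _try_resume(self):
        if self._now() - self._suspended_at <= KEEP_WINDOW_SECONDS:
            # Accurate rollback: drop the unconfirmed request, restore the committed steps.
            self.pending = None
            self.committed = list(self.cloud.saved.get(self.user_id, []))
            self.boss_connected = True
            self.state = SessionState.ACTIVE
        else:
            self._close()

    def _close(self):
        self.state = SessionState.CLOSED
        self.boss_connected = False
        self.pending = None
        self.cloud.delete_user_state(self.user_id)
```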
According to an embodiment of the invention, a security control implementation system is also provided.
Fig. 9 is a block diagram of the security control implementation system according to an embodiment of the invention. As shown in Fig. 9, the system comprises: a terminal 10, for establishing a connection with the cloud desktop system; and a cloud desktop system 20 built on cloud desktop technology, for establishing a connection with the terminal and achieving security control of the terminal through the interaction with the terminal.
Preferably, the system may also comprise: a VPN device (not shown in Fig. 9), for receiving the request for the right to use the network sent by the terminal, sending a verification request to the terminal, receiving the user authentication information from the terminal and sending it to the authentication server for verification, and, when the verification matches, sending an IP address with access rights to the terminal; and an authentication server (not shown in Fig. 9), for verifying the user authentication information.
In the related art, the system architecture is a server cluster model; as the number of terminals and the traffic volume grow, storage space runs short rapidly, disaster recovery switching needs the network to coordinate and adjust the corresponding policies, switching time is long and the user experience is poor. In addition, the concurrent processing capability of the system is weak and cannot meet the concurrency requirements of peak business access periods; the mobility and irregularity of vendor maintenance staff make management difficult; and some vendor maintenance staff can reach important internal company data because of their work, so the risk of data leakage also grows as a large number of terminals and mobile devices generate data flows. Because the cloud desktop system shown in Fig. 9 is built on cloud desktop technology, introducing cloud desktop technology and deploying a virtual desktop system on the server achieves unified terminal access and security control; configuring user permissions achieves physical isolation between the terminal hardware system and the cloud desktop software system, making up for the shortcomings of existing terminal network access and security control systems, improving the system deployment mode, achieving centralized control, reducing O&M costs, improving terminal access security and reducing system security hazards.
According to an embodiment of the invention, a cloud desktop system is also provided.
Fig. 10 is a block diagram of the cloud desktop system according to the preferred embodiment of the invention. This cloud desktop system is built on cloud desktop technology and, as shown in Fig. 10, comprises: a connection system 30, for establishing a connection with the terminal; and an interaction system 40, for achieving security control of the terminal through the interaction with the terminal.
The cloud desktop system shown in Fig. 10 is built on cloud desktop technology; introducing cloud desktop technology and deploying a virtual desktop system on the server achieves unified terminal access and security control; configuring user permissions achieves physical isolation between the terminal hardware system and the cloud desktop software system, making up for the shortcomings of existing terminal network access and security control systems, improving the system deployment mode, achieving centralized control, reducing O&M costs, improving terminal access security and reducing system security hazards.
Preferably, the interaction system 40 is further configured to verify the terminal, where the modes of verification comprise: verification of the username and static password; verification by a combined calculation based on the international mobile equipment identity (IMEI) of the terminal, the thin client identifier and the static password; and dynamic verification code verification; when the verification passes and the terminal currently has no session, to allocate a remote server to the terminal; and to present to the terminal the application program running on the remote server with the user permission configuration.
Preferably, the interaction system 40 may comprise: a thin client, for connecting to the terminal over Bluetooth to obtain the IMEI of the terminal, and sending the IMEI and its thin client identifier to the authentication server; and the authentication server, for performing a calculation with the IMEI, the thin client identifier and the static password as parameters, comparing the obtained calculation result with the calculation result saved at registration, and determining that the verification succeeds when they are consistent.
Preferably, the interaction system 40 may comprise: an RDS server, for, when the authentication server verification succeeds, triggering generation of the dynamic verification code and issuing it to the terminal, receiving the dynamic verification code from the terminal, and sending the received dynamic verification code to the dynamic verification code authentication server; and the dynamic verification code authentication server, for determining that the verification succeeds when this dynamic verification code is consistent with the verification code saved in advance.
Preferably, the interaction system 40 may comprise: a session server, for, when the verification passes, querying whether the terminal currently has a session, and, when no session of the terminal is found, sending the query result to the RDS server; and the RDS server, for allocating the optimal remote server to the terminal according to the state of the servers in the RDS resource pool.
Preferably, the interaction system 40 may comprise: the remote server, for receiving a request from the terminal to obtain user configuration information, sending the request to the configuration server, and presenting to the terminal the application program running on the remote server with the user permission configuration; the configuration server, for querying the user permission library to confirm whether a user permission file for this terminal exists; and the RDS server, further for downloading this user permission configuration file when a user permission file for this terminal exists, and generating a new user permission configuration file for the terminal according to the security configuration template when none exists.
Preferably, the interaction system 40 may comprise: the remote server, for, when it cannot receive a user instruction from the terminal, initiating a request to enable automatic state preservation, with the session state staying at its current state and being suspended; and, if a user instruction from the terminal is received within the predetermined time, the automatic preservation function taking effect and service interaction with the BOSS server being resumed, otherwise the automatic preservation function expiring and a request to delete the user state and close the service being initiated.
In summary, the embodiments provided by the invention make up for the shortcomings of existing terminal network access and security control systems; the introduction of virtual desktop technology improves the system deployment mode, achieves centralized control, improves terminal access security and reduces system security hazards.
Management and control: with the original technology every device is configured manually and the maintenance workload is large. With the new technology, software installation and machine configuration changes are done entirely remotely, management is centralized and staff operations are monitored in real time.
Security: with the original technology, viruses spread on terminal hardware, easily causing network traffic to surge, and the security control of terminals is uncontrollable. The new technology, based on a virtual machine architecture, physically isolates the terminal hardware platform from the cloud desktop, reduces the probability of infection, records operation traces in the background, uses multi-level security control devices together with terminal pipeline control techniques, and encrypts the terminal and the transmission link, enhancing system security.
Parallel processing capability and redundancy: the new physical-terminal-plus-cloud-desktop architecture gives full play to the advantages of virtual machine clusters in parallel processing and disaster recovery; the system's peak-period concurrent processing capability is markedly enhanced, disaster recovery switching reaches the millisecond level, and switching efficiency is greatly improved.
The above are only several specific embodiments of the invention, but the invention is not limited thereto; any changes that a person skilled in the art can conceive of should fall within the scope of protection of the invention.

Claims (18)

1. A security control implementation method, characterized in that it comprises:
building a cloud desktop system based on cloud desktop technology;
establishing a connection between the cloud desktop system and a terminal;
achieving security control of the terminal by the cloud desktop system through the interaction between the cloud desktop system and the terminal.
2. The method according to claim 1, characterized in that establishing the connection between the cloud desktop system and the terminal comprises:
the terminal sending a request for the right to use the network to a virtual private network (VPN) device;
the terminal receiving a verification request from the VPN device and sending user authentication information to the VPN device;
after the VPN device sends the user authentication information to an authentication server and the verification matches, the terminal receiving an address with access rights from the VPN device.
3. The method according to claim 1, characterized in that the interaction between the cloud desktop system and the terminal comprises:
the cloud desktop system verifying the terminal, wherein the modes of verification comprise: verification of the username and static password; verification by a combined calculation based on the international mobile equipment identity (IMEI) of the terminal, the thin client identifier and the static password; and dynamic verification code verification;
when the verification passes and the terminal currently has no session, the cloud desktop system allocating a remote server to the terminal;
the cloud desktop system presenting to the terminal the application program running on this remote server with the user permission configuration.
4. The method according to claim 3, characterized in that the verification by a combined calculation based on the IMEI of the terminal, the thin client identifier and the static password comprises:
a thin client in the cloud desktop system connecting to the terminal over Bluetooth and obtaining the IMEI of the terminal;
the thin client sending the IMEI and its thin client identifier to an authentication server in the cloud desktop system;
the authentication server performing a calculation with the IMEI, the thin client identifier and the static password as parameters, comparing the obtained calculation result with the calculation result saved at registration, and determining that the verification succeeds when they are consistent.
5. The method according to claim 4, characterized in that, before the verification by a combined calculation based on the IMEI of the terminal, the thin client identifier and the static password, the method further comprises:
when the terminal registers, the thin client connecting to the terminal over Bluetooth and obtaining the IMEI of the terminal;
the thin client sending the IMEI and its thin client identifier to the authentication server in the cloud desktop system;
the authentication server performing a calculation with the IMEI, the thin client identifier and the static password as parameters, and saving the calculation result.
6. The method according to claim 4 or 5, characterized in that the dynamic verification code verification comprises:
when the obtained calculation result is consistent with the calculation result saved at registration, the remote data transmission (RDS) server of the cloud desktop system triggering generation of the dynamic verification code and issuing it to the terminal;
the RDS server receiving the dynamic verification code from the terminal;
the RDS server sending the received dynamic verification code to a dynamic verification code authentication server for verification, and determining that the verification succeeds when this dynamic verification code is consistent with the verification code saved in advance.
7. The method according to claim 3, characterized in that, when the verification passes and the terminal currently has no session, the cloud desktop system allocating a remote server to the terminal comprises:
when the verification passes, the session server in the cloud desktop system querying whether the terminal currently has a session;
when no session of the terminal is found, the session server sending the query result to the RDS server and notifying the RDS server to allocate the remote server to the terminal;
the RDS server allocating the optimal remote server to the terminal according to the state of the servers in the RDS resource pool.
8. The method according to claim 3, characterized in that the cloud desktop system presenting to the terminal the application program running on this remote server with the user permission configuration comprises:
the remote server receiving a request from the terminal to obtain user configuration information;
the remote server sending the request to a configuration server;
the configuration server querying the user permission library to confirm whether a user permission file for this terminal exists;
if it exists, notifying the RDS server to download this user permission configuration file; if it does not exist, notifying the RDS server so that it generates a new user permission configuration file for the terminal according to the security configuration template;
the remote server presenting to the terminal the application program running on this remote server with the user permission configuration.
9. The method according to claim 3, characterized in that, after the cloud desktop system presents to the terminal the application program running on this remote server with the user permission configuration, the method further comprises:
when the remote server cannot receive a user instruction from the terminal, initiating a request to enable automatic state preservation, with the session state staying at its current state and being suspended;
if the remote server receives a user instruction from the terminal within the predetermined time, the automatic preservation function taking effect and the remote server resuming service interaction with the BOSS server; otherwise, the automatic preservation function expiring and a request to delete the user state and close the service being initiated.
10. A security management and control implementation system, characterized by comprising:
a terminal, for establishing a connection with a cloud desktop system;
the cloud desktop system, built on cloud desktop technology, for establishing the connection with the terminal and implementing security management and control of the terminal through interaction with the terminal.
11. The system according to claim 10, characterized by further comprising:
a virtual private network (VPN) device, for receiving a request for Internet access rights sent by the terminal, sending a verification request to the terminal, receiving user authentication information from the terminal and sending it to an authentication server for verification, and, when the verification matches, sending an IP address with access rights to the terminal;
the authentication server, for verifying the user authentication information.
12. A cloud desktop system, characterized in that the system is built on cloud desktop technology and comprises:
a connection system, for establishing a connection with a terminal;
an interaction system, for implementing security management and control of the terminal through interaction with the terminal.
13. The system according to claim 12, characterized in that:
the interaction system is further used to verify the terminal, wherein the verification modes comprise: verification by user name and static password; verification by a unified computation over the terminal's international mobile equipment identity (IMEI), a thin client identifier and the static password; and dynamic verification code verification; when the verification succeeds and the terminal currently has no session, to allocate a remote server to the terminal; and to present on the terminal the application program running on the remote server with the user rights configuration.
14. The system according to claim 13, characterized in that the interaction system comprises:
a thin client, for connecting with the terminal via Bluetooth to obtain the terminal's IMEI, and sending the IMEI and the thin client's identifier to an authentication server;
the authentication server, for computing a result with the IMEI, the thin client identifier and the static password as parameters, comparing the computed result with the result saved at registration, and determining that verification succeeds when they match.
15. The system according to claim 13, characterized in that the interaction system further comprises:
a remote data transmission (RDS) server, for, when the authentication server succeeds, triggering generation of the dynamic verification code and delivering it to the terminal; receiving the dynamic verification code from the terminal; and sending the received dynamic verification code to a dynamic verification code authentication server;
the dynamic verification code authentication server, for determining that verification succeeds when this dynamic verification code is consistent with the verification code saved in advance.
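A model of the two-stage check in claims 14 and 15, added here as an example and not code from the patent: the authentication server recomputes a value from IMEI, thin client identifier and static password and compares it with the value saved at registration, then the RDS server issues a single-use dynamic code that the dynamic code authentication server checks. The patent does not name the computation; PBKDF2-HMAC-SHA256 with a per-device salt, constant-time comparison, and the six-digit code format are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the registration database
# and the dynamic-code server's saved codes.
_REGISTRY = {}        # (imei, thin_client_id) -> (salt, saved_result)
_PENDING_CODES = {}   # imei -> code delivered to the terminal, not yet used


def _compute(imei, thin_client_id, static_password, salt):
    """Unified computation over the three parameters (assumed: PBKDF2)."""
    material = f"{imei}|{thin_client_id}|{static_password}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def register(imei, thin_client_id, static_password):
    """Registration: save only the computation result, never the password."""
    salt = os.urandom(16)
    _REGISTRY[(imei, thin_client_id)] = (
        salt, _compute(imei, thin_client_id, static_password, salt))


def verify_device(imei, thin_client_id, static_password):
    """Claim 14: recompute and compare with the result saved at registration."""
    entry = _REGISTRY.get((imei, thin_client_id))
    if entry is None:
        return False
    salt, saved = entry
    computed = _compute(imei, thin_client_id, static_password, salt)
    return hmac.compare_digest(computed, saved)   # constant-time compare


def issue_dynamic_code(imei):
    """Claim 15: on device success the RDS server triggers and delivers a code."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _PENDING_CODES[imei] = code
    return code


def verify_dynamic_code(imei, code):
    """Dynamic code server: the saved code is consumed on first use."""
    saved = _PENDING_CODES.pop(imei, None)
    return saved is not None and hmac.compare_digest(saved, code)


def authenticate(imei, thin_client_id, static_password, terminal_reply):
    """Full flow; terminal_reply maps the delivered code to what the terminal sends back."""
    if not verify_device(imei, thin_client_id, static_password):
        return False
    delivered = issue_dynamic_code(imei)
    return verify_dynamic_code(imei, terminal_reply(delivered))
```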
16. The system according to claim 13, characterized in that the interaction system further comprises:
a session server, for, when the verification succeeds, querying whether the terminal currently has a session, and, when no session of the terminal is found, sending the query result to the RDS server;
the RDS server, for allocating an optimal remote server to the terminal according to the server states of the RDS resource pool.
17. The system according to claim 13, characterized in that the interaction system further comprises:
the remote server, for receiving a request for obtaining user configuration information from the terminal, sending the request to a configuration server, and presenting on the terminal the application program running on the remote server with the user rights configuration;
the configuration server, for querying the user rights repository to confirm whether a user rights file for this terminal exists;
the RDS server, further for downloading the user rights configuration file when a user rights file for this terminal exists, and for generating a new user rights configuration file for the terminal according to the security configuration template when it does not exist.
18. The system according to claim 13, characterized in that the interaction system further comprises:
the remote server, further for, when no user instruction from the terminal is received, initiating a request to enable automatic state keeping, whereby the session state is suspended at its current state; if a user instruction from the terminal is received within a predetermined time, the automatic keeping function takes effect and the service interaction with the BOSS server is resumed; if not, the automatic keeping function expires, and a request to delete the user state and close the service is initiated.
CN201310751050.9A 2013-12-31 2013-12-31 Security management and control implementation method, system and cloud desktop system Active CN104753887B (en)

Publications (2)

Publication Number Publication Date
CN104753887A true CN104753887A (en) 2015-07-01
CN104753887B CN104753887B (en) 2018-02-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant